ipaservice: Allow execution of plugin in client host.

Update service README file and add tests for executing plugin with `ipaapi_context` set to `client`. A new test playbook can be found at: tests/service/test_service_client_context.yml The new test file can be executed in a FreeIPA client host that is not a server. In this case, it should be defined in the `ipaclients` group, in the inventory file.

ipaservice: Allow execution of plugin in client host.
f1381edc · Rafael Guterres Jeffman · 27b50957 · f1381edc · f1381edc · f1381edc
Commit f1381edc authored 3 years ago by Rafael Guterres Jeffman
--- a/README-service.md
+++ b/README-service.md
@@ -291,6 +291,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no

--- a/tests/service/env_cleanup.yml
+++ b/tests/service/env_cleanup.yml
@@ -3,6 +3,7 @@
 - name: Ensure services are absent.
  ipaservice:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name:
      - "HTTP/{{ svc_fqdn }}"
      - "HTTP/{{ nohost_fqdn }}"
@@ -16,6 +17,7 @@
 - name: Ensure host "{{ svc_fqdn }}" is absent
  ipahost:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: "{{ svc_fqdn }}"
    update_dns: yes
    state: absent
@@ -23,6 +25,7 @@
 - name: Ensure host is absent
  ipahost:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name:
      - "{{ host1_fqdn }}"
      - "{{ host2_fqdn }}"
@@ -34,6 +37,7 @@
 - name: Ensure testing users are absent.
  ipauser:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name:
    - user01
    - user02
@@ -42,6 +46,7 @@
 - name: Ensure testing groups are absent.
  ipagroup:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name:
    - group01
    - group02
@@ -50,6 +55,7 @@
 - name: Ensure testing hostgroup hostgroup01 is absent.
  ipagroup:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name:
      - hostgroup01
    state: absent
@@ -57,6 +63,7 @@
 - name: Ensure testing hostgroup hostgroup02 is absent.
  ipagroup:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name:
      - hostgroup02
    state: absent
@@ -64,6 +71,7 @@
 - name: Remove IP address for "nohost" host.
  ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    zone_name: "{{ test_domain }}."
    name: nohost
    del_all: yes

--- a/tests/service/env_setup.yml
+++ b/tests/service/env_setup.yml
@@ -10,6 +10,7 @@
 - name: Add IP address for "nohost" host.
  ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    zone_name: "{{ test_domain }}."
    name: nohost
    a_ip_address: "{{ ipv4_prefix + '.100' }}"
@@ -17,6 +18,7 @@
 - name: Add hosts for tests.
  ipahost:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    hosts:
      - name: "{{ host1_fqdn }}"
        ip_address: "{{ ipv4_prefix + '.101' }}"
@@ -31,6 +33,7 @@
 - name: Ensure testing user user01 is present.
  ipauser:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: user01
    first: user01
    last: last
@@ -38,6 +41,7 @@
 - name: Ensure testing user user02 is present.
  ipauser:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: user02
    first: user02
    last: last
@@ -45,19 +49,23 @@
 - name: Ensure testing group group01 is present.
  ipagroup:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: group01
 - name: Ensure testing group group02 is present.
  ipagroup:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: group02
 - name: Ensure testing hostgroup hostgroup01 is present.
  ipahostgroup:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: hostgroup01
 - name: Ensure testing hostgroup hostgroup02 is present.
  ipahostgroup:
    ipaadmin_password: SomeADMINpassword
+    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: hostgroup02
--- a/tests/service/test_service.yml
+++ b/tests/service/test_service.yml
@@ -12,7 +12,7 @@
 #
 ---
 - name: Test service
-  hosts: ipaserver
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
  become: yes
  tasks:
@@ -28,6 +28,7 @@
      - name: Ensure service is present
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          pac_type:
            - MS-PAC
@@ -44,6 +45,7 @@
      - name: Ensure service is present, again
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          pac_type:
            - MS-PAC
@@ -60,6 +62,7 @@
      - name: Modify service.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          pac_type: NONE
          ok_as_delegate: yes
@@ -70,6 +73,7 @@
      - name: Modify service, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          pac_type: NONE
          ok_as_delegate: yes
@@ -80,6 +84,7 @@
      - name: Ensure service is present, without host object.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ nohost_fqdn }}"
          skip_host_check: yes
        register: result
@@ -88,6 +93,7 @@
      - name: Ensure service is present, without host object, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ nohost_fqdn }}"
          skip_host_check: yes
        register: result
@@ -96,6 +102,7 @@
      - name: Ensure service is present, with host not in DNS.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: HTTP/svc.ihavenodns.info
          skip_host_check: no
          force: yes
@@ -105,6 +112,7 @@
      - name: Ensure service is present, with host not in DNS, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: HTTP/svc.ihavenodns.info
          skip_host_check: no
          force: yes
@@ -114,6 +122,7 @@
      - name: Ensure service is present, whithout host object and with host not in DNS.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: HTTP/no.idontexist.info
          skip_host_check: yes
          force: yes
@@ -123,6 +132,7 @@
      - name: Ensure service is present, whithout host object and with host not in DNS, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: HTTP/no.idontexist.info
          skip_host_check: yes
          force: yes
@@ -132,6 +142,7 @@
      - name: Principal host/test.example.com present in service.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          principal:
            - host/test.example.com
@@ -142,6 +153,7 @@
      - name: Principal host/test.example.com present in service, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          principal:
            - host/test.example.com
@@ -153,6 +165,7 @@
      - name: Principal host/test.example.com absent in service.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          principal:
            - host/test.example.com
@@ -164,6 +177,7 @@
      - name: Principal host/test.example.com absent in service, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          principal:
            - host/test.example.com
@@ -176,6 +190,7 @@
      - name: Ensure host can manage service.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          host:
          - "{{ host1_fqdn }}"
@@ -187,6 +202,7 @@
      - name: Ensure host can manage service, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          host: "{{ host1_fqdn }}"
          action: member
@@ -196,6 +212,7 @@
      - name: Ensure host cannot manage service.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          host:
          - "{{ host1_fqdn }}"
@@ -208,6 +225,7 @@
      - name: Ensure host cannot manage service, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          host:
          - "{{ host1_fqdn }}"
@@ -220,6 +238,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_create_keytab_user:
          - user01
@@ -240,6 +259,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_create_keytab_user:
          - user01
@@ -260,6 +280,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_create_keytab_user:
          - user01
@@ -281,6 +302,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_create_keytab_user:
          - user01
@@ -302,6 +324,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_retrieve_keytab_user:
          - user01
@@ -322,6 +345,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_retrieve_keytab_user:
          - user01
@@ -342,6 +366,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_retrieve_keytab_user:
          - user01
@@ -363,6 +388,7 @@
      - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          allow_retrieve_keytab_user:
          - user01
@@ -384,6 +410,7 @@
      - name: Ensure service is absent
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          continue: yes
          state: absent
@@ -393,6 +420,7 @@
      - name: Ensure service is absent, again
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          continue: yes
          state: absent
@@ -402,6 +430,7 @@
      - name: Ensure service is present, with multiple auth_ind values.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          auth_ind: otp,radius
          skip_host_check: no
@@ -412,6 +441,7 @@
      - name: Ensure service is present, with multiple auth_ind values, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          auth_ind: otp,radius
          skip_host_check: no
@@ -422,6 +452,7 @@
      - name: Clear auth_ind.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          auth_ind: ""
          skip_host_check: no
@@ -432,6 +463,7 @@
      - name: Clear auth_ind, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "HTTP/{{ svc_fqdn }}"
          auth_ind: ""
          skip_host_check: no
@@ -442,6 +474,7 @@
      - name: Ensure services are absent.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name:
          - "HTTP/{{ svc_fqdn }}"
          - "HTTP/{{ nohost_fqdn }}"
@@ -455,6 +488,7 @@
      - name: Ensure services are absent.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name:
          - "HTTP/{{ svc_fqdn }}"
          - "HTTP/{{ nohost_fqdn }}"
@@ -468,6 +502,7 @@
      - name: Ensure SMB service is present.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "{{ host1_fqdn }}"
          pac_type: NONE
          smb: yes
@@ -478,6 +513,7 @@
      - name: Ensure SMB service is again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "{{ host1_fqdn }}"
          pac_type: NONE
          smb: yes
@@ -488,6 +524,7 @@
      - name: Modify SMB service.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "{{ host1_fqdn }}"
          smb: yes
          netbiosname: SAMBASVC
@@ -503,6 +540,7 @@
      - name: Modify SMB service, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "{{ host1_fqdn }}"
          smb: yes
          netbiosname: SAMBASVC
@@ -518,6 +556,7 @@
      - name: Ensure SMB service is absent.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "cifs/{{ host1_fqdn }}"
          continue: yes
          state: absent
@@ -527,6 +566,7 @@
      - name: Ensure SMB service is absent, again.
        ipaservice:
          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: "cifs/{{ host1_fqdn }}"
          continue: yes
          state: absent

--- a/tests/service/test_service_client_context.yml
+++ b/tests/service/test_service_client_context.yml
+---
+- name: Test service
+  hosts: ipaclients, ipaserver
+  become: no
+  gather_facts: no
+  tasks:
+  - name: Include FreeIPA facts.
+    include_tasks: ../env_freeipa_facts.yml
+  # Test will only be executed if host is not a server.
+  - name: Execute with server context in the client.
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server
+      name: ThisShouldNotWork
+    register: result
+    failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
+    when: ipa_host_is_client
+# Import basic module tests, and execute with ipa_context set to 'client'.
+# If ipaclients is set, it will be executed using the client, if not,
+# ipaserver will be used.
+#
+# With this setup, tests can be executed against an IPA client, against
+# an IPA server using "client" context, and ensure that tests are executed
+# in upstream CI.
+- name: Test service using client context, in client host.
+  import_playbook: test_service.yml
+  when: groups['ipaclients']
+  vars:
+    ipa_test_host: ipaclients
+- name: Test service using client context, in server host.
+  import_playbook: test_service.yml
+  when: groups['ipaclients'] is not defined or not groups['ipaclients']